Skip to main content

Snorkel CVE-2026-31222

| EUVDEUVD-2026-29506 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-05-12 mitre GHSA-78cp-f66x-qmh5
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 15:55 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
8.8 (HIGH)
CVE Published
May 12, 2026 - 00:00 nvd
HIGH 8.8
CVE Published
May 12, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 pypi packages depend on snorkel (4 direct, 1 indirect)

Ecosystem-wide dependent count for version 0.10.0.

DescriptionCVE.org

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

AnalysisAI

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoint files through the Trainer.load() method. The vulnerability stems from unsafe PyTorch deserialization that processes untrusted Pickle objects without the weights_only security parameter. Attackers can embed malicious Python code in model files distributed through repositories, shared datasets, or social engineering campaigns. Despite the 8.8 CVSS score indicating critical severity, EPSS scoring at 0.06% (19th percentile) suggests very low real-world exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.

Technical ContextAI

Snorkel is a Python framework for programmatic data labeling and weak supervision in machine learning pipelines. The vulnerability resides in the interaction between Snorkel's Trainer class and PyTorch's checkpoint loading mechanism. PyTorch's torch.load() function uses Python's Pickle protocol for serialization, which can execute arbitrary code during deserialization. While PyTorch introduced the weights_only=True parameter to restrict deserialization to tensor data only, Snorkel v0.10.0 and earlier versions call torch.load() with default settings that permit full object deserialization. This creates a CWE-502 (Deserialization of Untrusted Data) vulnerability where any Python object-including those with __reduce__ methods that execute system commands-can be embedded in a model file and triggered when loaded.

RemediationAI

Upgrade to Snorkel versions newer than v0.10.0 when a patched release becomes available; monitor the official GitHub repository (https://github.com/snorkel-team/snorkel) and PyPI package updates for security releases addressing CVE-2026-31222. No vendor-released patch version is independently confirmed from available data at time of analysis. As interim compensating controls: restrict Trainer.load() usage to checkpoint files from trusted, verified sources only; implement file integrity verification using cryptographic signatures or hashes before loading any model checkpoints; apply filesystem permissions to prevent unauthorized modification of checkpoint directories; deploy application sandboxing (containers, VMs with limited privileges) to contain potential code execution if malicious models are loaded; consider patching the local Snorkel installation by modifying Trainer.load() to call torch.load() with weights_only=True, though this may break legitimate functionality if checkpoints contain non-tensor objects. Network-based controls are ineffective as exploitation occurs during local file processing. Organizations not loading third-party or user-supplied checkpoint files face minimal risk and may defer patching until operational updates.

CVE-2017-1000083 HIGH POC
7.8 Sep 05

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e

CVE-2024-3568 CRITICAL POC
9.6 Apr 10

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data

CVE-2026-24747 HIGH POC
8.8 Jan 27

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

CVE-2022-41604 HIGH POC
8.8 Sep 27

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever

CVE-2024-24919 HIGH POC
8.6 May 28

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte

CVE-2026-58659 HIGH POC
8.4 Jul 15

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che

CVE-2019-8461 HIGH POC
7.8 Aug 29

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo

CVE-2019-8452 HIGH POC
7.8 Apr 22

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien

CVE-2013-7350 CRITICAL
10.0 Apr 01

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef

CVE-2026-31214 CRITICAL
9.8 May 12

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec

CVE-2019-8459 CRITICAL
9.8 Jun 20

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us

CVE-2023-39913 HIGH
8.8 Nov 08

Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK

Share

CVE-2026-31222 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy